Finish stop generation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5552 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-03-16 00:58:25 +00:00
parent 0628dd8593
commit 9795430f8d
2 changed files with 151 additions and 31 deletions


@ -259,8 +259,6 @@ sub process_routestopped() {
my $fn = find_file 'routestopped'; my $fn = find_file 'routestopped';
my ( @allhosts, %source, %dest ); my ( @allhosts, %source, %dest );
@critical = ();
progress_message2 "$doing $fn..."; progress_message2 "$doing $fn...";
open RS, "$ENV{TMP_DIR}/routestopped" or fatal_error "Unable to open stripped routestopped file: $!"; open RS, "$ENV{TMP_DIR}/routestopped" or fatal_error "Unable to open stripped routestopped file: $!";
@ -311,7 +309,7 @@ sub process_routestopped() {
$dest{"$interface:$host"} = 1; $dest{"$interface:$host"} = 1;
} }
} else { } else {
warning_message "Unknown routestopped option ( $option ) ignored in routestopped entry \"$line\"" $option eq 'critical'; warning_message "Unknown routestopped option ( $option ) ignored in routestopped entry \"$line\"" unless $option eq 'critical';
} }
} }
} }
@ -322,7 +320,7 @@ sub process_routestopped() {
close RS; close RS;
for my $host ( @allhosts ) { for my $host ( @allhosts ) {
my ( $interface, $h ) = split /,/, $host; my ( $interface, $h ) = split /:/, $host;
my $source = match_source_net $h; my $source = match_source_net $h;
my $dest = match_dest_net $h; my $dest = match_dest_net $h;
@ -344,7 +342,7 @@ sub process_routestopped() {
unless ( $matched ) { unless ( $matched ) {
for my $host1 ( @allhosts ) { for my $host1 ( @allhosts ) {
unless ( $host eq $host1 ) { unless ( $host eq $host1 ) {
my ( $interface1, $h1 ) = split /,/, $host1; my ( $interface1, $h1 ) = split /:/, $host1;
my $dest1 = match_dest_net $h1; my $dest1 = match_dest_net $h1;
emit "\$IPTABLES -A FORWARD -i $interface -o $interface1 $source $dest1 -j ACCEPT"; emit "\$IPTABLES -A FORWARD -i $interface -o $interface1 $source $dest1 -j ACCEPT";
} }
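Review bot: The two `split /:/` fixes in the `for my $host ( @allhosts )` loop and the inner `$host1` loop now agree with the `"$interface:$host"` keys built earlier in the hunk, but a two-element list assignment silently drops any third field, so a host spec that itself contains a colon would be truncated with no diagnostic; limiting the split, `my ( $interface, $h ) = split /:/, $host, 2;` (and likewise for `$host1`), keeps the whole host part. Whether a colon-bearing host can reach this loop depends on the parsing earlier in process_routestopped, which starts before this hunk. Separately, the unchanged `open RS, "$ENV{TMP_DIR}/routestopped"` is a two-argument open of an interpolated path on a bareword handle; the three-argument form with a lexical handle, `open my $rs, '<', "$ENV{TMP_DIR}/routestopped" or fatal_error ...`, prevents mode characters in the path from being interpreted as an open mode.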


@ -156,12 +156,9 @@ sub generate_script_1 {
sub compile_stop_firewall() { sub compile_stop_firewall() {
emit "#\n# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command\n#"; emit "
emit "stop_firewall() {\n";
emit << "EOF";
# #
# Stop/restore the firewall after an error or because of a "stop" or "clear" command # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
# #
stop_firewall() { stop_firewall() {
@ -199,20 +196,20 @@ stop_firewall() {
case \$COMMAND in case \$COMMAND in
start) start)
logger -p kern.err "ERROR:\$PRODUCT start failed" logger -p kern.err \"ERROR:\$PRODUCT start failed\"
;; ;;
restart) restart)
logger -p kern.err "ERROR:\$PRODUCT restart failed" logger -p kern.err \"ERROR:\$PRODUCT restart failed\"
;; ;;
restore) restore)
logger -p kern.err "ERROR:\$PRODUCT restore failed" logger -p kern.err \"ERROR:\$PRODUCT restore failed\"
;; ;;
esac esac
if [ "\$RESTOREFILE" = NONE ]; then if [ \"\$RESTOREFILE\" = NONE ]; then
COMMAND=clear COMMAND=clear
clear_firewall clear_firewall
echo "\$PRODUCT Cleared" echo \"\$PRODUCT Cleared\"
kill \$\$ kill \$\$
exit 2 exit 2
@ -238,10 +235,10 @@ stop_firewall() {
echo Restoring \${PRODUCT:=Shorewall}... echo Restoring \${PRODUCT:=Shorewall}...
if \$RESTOREPATH restore; then if \$RESTOREPATH restore; then
echo "\$PRODUCT restored from \$RESTOREPATH" echo \"\$PRODUCT restored from \$RESTOREPATH\"
set_state "Started" set_state \"Started\"
else else
set_state "Unknown" set_state \"Unknown\"
fi fi
kill \$\$ kill \$\$
@ -251,9 +248,9 @@ stop_firewall() {
;; ;;
esac esac
set_state "Stopping" set_state \"Stopping\"
STOPPING="Yes" STOPPING=\"Yes\"
TERMINATOR= TERMINATOR=
@ -262,7 +259,8 @@ stop_firewall() {
determine_capabilities determine_capabilities
run_stop_exit; run_stop_exit;
if [ -n "\$MANGLE_ENABLED" ]; then
if [ -n \"\$MANGLE_ENABLED\" ]; then
run_iptables -t mangle -F run_iptables -t mangle -F
run_iptables -t mangle -X run_iptables -t mangle -X
for chain in PREROUTING INPUT FORWARD POSTROUTING; do for chain in PREROUTING INPUT FORWARD POSTROUTING; do
@ -270,7 +268,7 @@ stop_firewall() {
done done
fi fi
if [ -n "\$RAW_TABLE" ]; then if [ -n \"\$RAW_TABLE\" ]; then
run_iptables -t raw -F run_iptables -t raw -F
run_iptables -t raw -X run_iptables -t raw -X
for chain in PREROUTING OUTPUT; do for chain in PREROUTING OUTPUT; do
@ -278,7 +276,7 @@ stop_firewall() {
done done
fi fi
if [ -n "\$NAT_ENABLED" ]; then if [ -n \"\$NAT_ENABLED\" ]; then
delete_nat delete_nat
for chain in PREROUTING POSTROUTING OUTPUT; do for chain in PREROUTING POSTROUTING OUTPUT; do
qt \$IPTABLES -t nat -P \$chain ACCEPT qt \$IPTABLES -t nat -P \$chain ACCEPT
@ -288,7 +286,7 @@ stop_firewall() {
if [ -f \${VARDIR}/proxyarp ]; then if [ -f \${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do while read address interface external haveroute; do
qt arp -i \$external -d \$address pub qt arp -i \$external -d \$address pub
[ -z "\${haveroute}\${NOROUTES}" ] && qt ip route del \$address dev \$interface [ -z \"\${haveroute}\${NOROUTES}\" ] && qt ip route del \$address dev \$interface
done < \${VARDIR}/proxyarp done < \${VARDIR}/proxyarp
for f in /proc/sys/net/ipv4/conf/*; do for f in /proc/sys/net/ipv4/conf/*; do
@ -296,16 +294,17 @@ stop_firewall() {
done done
fi fi
rm -f \${VARDIR}/proxyarp rm -f \${VARDIR}/proxyarp\n";
EOF
push_indent;
emit 'delete_tc1' if $config{CLEAR_TC}; emit 'delete_tc1' if $config{CLEAR_TC};
emit 'undo_routing'; emit 'undo_routing';
emit 'restore_default_route'; emit 'restore_default_route';
my @criticalhosts = process_criticalhosts; my $criticalhosts = process_criticalhosts;
if ( @criticalhosts ) { if ( $criticalhosts ) {
if ( $config{ADMINISABSENTMINDED} ) { if ( $config{ADMINISABSENTMINDED} ) {
emit 'for chain in INPUT OUTPUT; do'; emit 'for chain in INPUT OUTPUT; do';
emit ' setpolicy \$chain ACCEPT'; emit ' setpolicy \$chain ACCEPT';
@ -315,12 +314,131 @@ EOF
emit "deleteallchains\n"; emit "deleteallchains\n";
for my $hosts ( @criticalhosts ) { for my $hosts ( @$criticalhosts ) {
my ( $interface, $host ) = ( split /,/, $hosts ); my ( $interface, $host ) = ( split /,/, $hosts );
my $source = match_source_net $host;
my $dest = match_dest_net $host;
emit "\$IPTABLES -A INPUT -i $interface $source -j ACCEPT";
emit "\$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT";
}
pop_indent;
emit "
for chain in INPUT OUTPUT; do
setpolicy \$chain DROP
done
";
} else {
pop_indent;
emit "
for chain in INPUT OUTPUT; do
setpolicy \$chain ACCEPT
done
setpolicy FORWARD DROP
deleteallchains
";
for my $hosts ( @$criticalhosts ) {
my ( $interface, $host ) = ( split /,/, $hosts );
my $source = match_source_net $host;
my $dest = match_dest_net $host;
emit "\$IPTABLES -A INPUT -i $interface $source -j ACCEPT";
emit "\$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT";
}
emit "
setpolicy INPUT DROP
for chain in INPUT FORWARD; do
setcontinue \$chain
done
";
}
} elsif ( ! $config{ADMINISABSENTMINDED} ) {
pop_indent;
emit "
for chain in INPUT OUTPUT FORWARD; do
setpolicy \$chain DROP
done
deleteallchains
";
} else {
pop_indent;
emit "
for chain in INPUT FORWARD; do
setpolicy \$chain DROP
done
setpolicy OUTPUT ACCEPT
deleteallchains
for chain in INPUT FORWARD; do
setcontinue \$chain
done
";
}
push_indent;
process_routestopped;
emit '$IPTABLES -A INPUT -i lo -j ACCEPT';
emit '$IPTABLES -A OUTPUT -o lo -j ACCEPT';
emit '$IPTABLES -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};
my $interfaces = find_interfaces_by_option 'dhcp';
for my $interface ( @$interfaces ) {
emit "\$IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT";
emit "\$IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED};
#
# This might be a bridge
#
emit "\$IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT";
}
emit '';
if ( $config{IP_FORWARDING} =~ /on/i ) {
emit 'echo 1 > /proc/sys/net/ipv4/ip_forward';
emit 'progress_message2 IP Forwarding Enabled';
} elsif ( $config{IP_FORWARDING} =~ /off/i ) {
emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
emit 'progress_message2 IP Forwarding Disabled!';
}
append_file 'stopped';
pop_indent;
emit "
set_state \"Stopped\"
logger -p kern.info \"\$PRODUCT Stopped\"
case \$COMMAND in
stop|clear)
;;
*)
#
# The firewall is being stopped when we were trying to do something
# else. Remove the lock file and Kill the shell in case we're in a
# subshell
#
kill \$\$
;;
esac
}";
} }
sub generate_script_2 () { sub generate_script_2 () {
@ -464,6 +582,10 @@ sub compile_firewall( $ ) {
progress_message2 "Validating Policy file..."; progress_message2 "Validating Policy file...";
validate_policy; validate_policy;
# #
# Compile the 'stop_firewall()' function
#
compile_stop_firewall;
#
# Start Second Part of script # Start Second Part of script
# #
generate_script_2; generate_script_2;
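Review bot: `if ( $criticalhosts )` now tests the truth of a reference, which is true even for a reference to an empty array, whereas the replaced `if ( @criticalhosts )` tested the element count; unless process_criticalhosts (defined outside this hunk) returns undef when there are no critical hosts, an empty list would take the critical-hosts branch, and under ADMINISABSENTMINDED that branch ends with `setpolicy \$chain DROP` for OUTPUT where the no-critical-hosts branch sets OUTPUT ACCEPT. `if ( @$criticalhosts )` restores the old test. A second point: `emit '$IPTABLES -A OUTPUT -o lo -j ACCEPT';` is emitted unconditionally and then again on the next line `unless $config{ADMINISABSENTMINDED}`, so the generated stop_firewall() carries a duplicate loopback OUTPUT rule in the non-absent-minded case; one of the two lines looks like a leftover. The critical-hosts loops still split entries on `/,/` while process_routestopped now splits on `/:/`, which is fine only if process_criticalhosts builds its entries with a comma — worth a comment on the loop saying so.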